The activities listed under STEP 2 are minimum requirements. If the risk assessment requires further measures, these will be carried out locally.
Awareness initiatives can be performed in many ways (e-learning, quizzes, lessons, posters, videos, leaflets, etc.), and they are an important part of creating a good security culture locally.
Risk management and the consequences of any possible incidents should be balanced against the unit management’s risk tolerance.
Information and information assets must be secured using appropriate measures based on a risk assessment and in accordance with data classification.